Professional Documents
Culture Documents
Disk Drive I/O Commands and Write Blocking
Disk Drive I/O Commands and Write Blocking
DISK D R I V E I / O C O M M A N D S
A N D W R I T E BLOCKING
1. Introduction
A write blocker allows access to digital data on a secondary storage
device while not allowing any changes to be made to the data on the
device. This is implemented by placing a hardware or software filter
between the software executing on a host computer and the secondary
storage device that is to be protected. The filter monitors all the I / O
commands sent from the application on the host machine and only allows
commands to the device that make no changes to its data. This paper
examines the I / O commands used to access secondary storage devices
and discusses their implications for write blockers.
This research is part of the Computer Forensics Tool Testing (CFTT)
Project at the National Institute of Standards and Technology (NIST),
which is developing methodologies for testing forensic tools and devices.
C F T T is a joint project of the Department of Justice's National In-
stitute of Justice (NIJ) and NIST's Office of Law Enforcement Stan-
dards and the Information Technology Laboratory. C F T T is supported
by other organizations, including the Federal Bureau of Investigation,
Department of Defense Cyber Crime Center, Internal Revenue Service
Lyle, J., Mead, S., Rider, K., 2007, in IFIP International Federation for Information Processing, Volume 242, Advances
in Digital Forensics III; eds. P. Craiger and S Shenoi; (Boston: Springer), pp. 163-177.
164 ADVANCES IN DIGITAL FORENSICS III
2. Background
A hard drive is usually attached to a computer by a cable to an inter-
face controller located either on the system motherboard or on a separate
adapter card. The most common physical interfaces are the ATA (AT
Attachment) and IDE (Integrated Drive Electronics) interfaces, includ-
ing variants such as ATA-2, ATA-3 and EIDE (Enhanced IDE). Other
physical interfaces include SATA (Serial ATA), SCSI (Small Computer
System Interface), IEEE 1394 (also known as FireWire or i-Link) and
USB (Universal Serial Bus).
All access to a drive is accomplished by commands sent from the
computer to the drive via the interface controller. However, since the
low-level programming required for direct access through the interface
controller is difficult and tedious, each operating system usually provides
other access interfaces. For example, programs running in a DOS en-
vironment can use two additional interfaces: the DOS service interface
(interrupt 0x21) and the BIOS service interface (interrupt 0x13). The
DOS service operates at the logical level of files and records while the
BIOS service operates at the physical drive sector level. More complex
operating systems such as Windows XP and UNIX variants (e.g., Linux
and FreeBSD) may disallow any low level interface (through the BIOS
Lyle, Mead & Rider 165
or the controller) and only permit user programs to access a hard drive
via a device driver that manages all access to a device.
There are five basic strategies for ensuring that digital data on a
secondary storage device is not modified during a forensic acquisition:
the hard drive; otherwise the blocker returns to the calhng program
without passing the command to the hard drive.
While write commands to a device should always be blocked, it is not
clear how a write blocker should treat other commands. The 0x13 BIOS
interface uses an eight-bit function code (with 256 possible commands).
Beyond a core set of commands, most function codes are not used. How-
ever, as technology changes, new core commands are often introduced
and other commands are no longer implemented. BIOS vendors may
implement additional commands as desired. Vendors often introduce
system components that implement new commands; also, vendors may
enhance the functionality of existing commands. The most significant
change to the core command set was the introduction of extended com-
mands (0x41—0x49) for accessing hard drives larger than 8 GB.
The command set for a typical BIOS [7] is presented in Table 1. Note
that only 22 of the possible 256 command codes are defined. Each
command belongs to one of the following six categories:
Lyle, Mead & Rider 167
Task
C o p y / E d i t Tools:Copy *.* to image disk, DOS
C o p y / E d i t Tools:Edit High Sector, Norton Disk Editor
C o p y / E d i t Tools:Edit Low Sector, Norton Disk Editor
Imaging Tools: Drive (Entire), EnCase 3.22
Imaging Tools:Drive(Entire), EnCase 4.14
Imaging Tools:Drive(Entire), SafeBack 3.0
Imaging Tools-.Partition-High, EnCase 3.22
Imaging Tools:Partition-High, EnCase 4.14
Imaging Tools:Partition-High, SafeBack 3.0
Imaging Tools:Partition-Low, EnCase 3.22
Imaging Tools:Partition-Low, EnCase 4.14
Imaging Tools:Partition-Low, SafeBack 3.0
Induced Drive Read Error:Drive(Entire), SafeBack 3.0
• Both the regular write commands were observed, but the Write
Long command was not observed. It is unlikely that the Write
Long command would be issued by a forensic tool as it should
only be used on rare occasions.
• Other commands, e.g.. Format Cylinder, that could write to a hard
drive should not be issued by forensic tools and were not observed.
• The fact that certain commands were not seen in the experiment
does not mean that are never encountered. The missing commands
likely manifest themselves with other programs and/or hardware.
Six software write blockers were tested against the NIST C F T T soft-
ware write blocker specifications [1, 6]. The observation from testing
interrupt 0x13 write blockers is that, although there is agreement on
the treatment of common commands used by write blockers, there are
minor differences in the treatment of the less frequently used commands.
The results are presented in Table 4. The "Spec" column has an "A" for
commands that should be allowed and a "B" for commands that should
Lyle, Mead & Rider 169
0.4 tool was created before the extended BIOS commands were intro-
duced. Table 4 also documents a change in the design criteria used by the
RCMP. Versions 0.4 and 0.5 were designed to block known write com-
mands and allow everything else. However, starting with version 0.7,
the criteria changed to allow known safe commands and block every-
thing else; this change occurred because of the uncertainty surrounding
the actions of some of the more esoteric commands. As shown in Table
3, several commands were never issued by programs that would be com-
monly used during an acquisition or initial examination of a hard drive.
Although the unused commands may not change data on the hard drive,
Lyle, Mead & Rider 171
The remainder of this section focuses on write blockers that use the
ATA protocol for communicating with the host and the hard drive. Ta-
ble 5 lists the seven releases of the ATA standard [8]; an eighth standard
is currently under development.
The ATA protocol has 256 possible command codes. In the ATA-7
standard, approximately 70 codes are defined as general use commands
(commands that are not reserved, retired, obsolete or vendor-specific).
In addition, there are more than 30 retired or obsolete codes that were
defined in the earlier standards.
Table 6 lists the write commands specified in the seven ATA stan-
dards. An "S" indicates that the listed command (row) is supported for
the given ATA standard (column). Note that only four commands are
defined in all seven standards. Also note that three standards introduced
new write commands beyond the original commands and three standards
172 ADVANCES IN DIGITAL FORENSICS III
1 2 3 4 5 6 7 Code Name
N N N N N N S 3A Write Stream DMA Ext
N N N N N N S CE Write Multiple FUA Ext
N N N N N N s 3E Write DMA Queued FUA Ext
N N N N N N s 3D Write DMA FUA Ext
N N N N N N s 3B Write Stream Ext
N N N N N S s 34 Write Sector(s) Ext
N N N N N S s 3F Write Log Ext
N N N N N s s 39 Write Multiple Ext
N N N N N s s 36 Write DMA Queued Ext
N N N N N s s 35 Write DMA Ext
N N N S S s s CC Write DMA Queued
S S N N N N N E9 Write Same
S S S N N N N 33 Write Long (w/o Retry)
s s S N N N N 32 Write Long (w/ Retry)
s s s N N N N 3C Write Verify
s s s S N N N 31 Write Sector(s)
s s s S N N N CB Write DMA (w/o Retry)
s s s s S S S E8 Write Buffer
s s s s S s s 30 Write Sector(s)
s s s s s s s C5 Write Multiple
s s s s s s s CA Write DMA (w/ Retry)
BIOS to drive 0 of the primary ATA channel. Note that the BIOS
did not issue any write commands to the hard drive for all the systems
examined.
We also used the protocol analyzer to observe commands issued by
several operating systems (DOS 6.22, PCDOS 6.3, FreeBSD 5.21, Red-
Hat Linux 7.1, Red Hat Personal Desktop Linux 9.1, Windows 98, Win-
dows NT 4.0, Windows 2000 and Windows XP Pro) during boot and
shutdown. The results of our investigation are presented in Table 8.
Neither PCDOS 6.3 nor DOS 6.22 issued any write commands during
startup and shutdown. Also, note that the newer operating systems
use the faster Write DMA (OxCA) command instead of the slower Write
(0x30) command.
Several test reports for hardware-based write block devices have been
published by NIJ [1]. These blockers were tested against a specifica-
tion [5] developed by the C F T T Project. Some interesting results are:
• One write blocker substitutes the Read DMA (0xC8) command for
the Read Multiple (OxC4) command [3].
• One write blocker disallows certain read commands [3] (see Table
9).
174 ADVANCES IN DIGITAL FORENSICS III
5. Conclusions
Our work has focused on BIOS-based and hardware-based write block-
ers. We have used monitoring software to record BIOS command usage
by BIOS-based write blockers in a DOS environment, and a protocol
176 ADVANCES IN DIGITAL FORENSICS III
References
[1] National Institute of Justice (NIJ), Computer Forensic Tool Testing
Project (www.ojp.usdoj.gov/nij/topics/ecrime/cftt.htm).
[2] National Institute of Justice (NIJ), Test Results for Hardware Write
Block Device: FastBloc IDE (Firmware Version 16)^ NIJ Report
NCJ 212956, Washington, DC (www.ncjrs.gov/pdffilesl/nij/212956
.pdf), 2006.
[3] National Institute of Justice (NIJ), Test Results for Hardware Write
Block Device: MyKey NoWrite (Firmware Version 1.05), NIJ Re-
port NCJ 212958, Washington, DC (www.ncjrs.gov/pdffilesl/nij
/212958.pdf), 2006.
Lyle, Mead & Rider 177